Sunday, January 18, 2009

Active directory management permissions

Our user accounts aren't, inexplicably, created within the IT team. That's a fight for another day, but right now I'm securing our Active Directory, specifically against the people whose job it is to create our users, none of whom is anything other than an IT part-timer. Unbelievably, they've been given full admin rights up to now, but today that stops.

So what I've done instead is to:

  • Save an .msc file of the AD Users and Computers MMC snap-in.
  • Create a user group called Account Managers and add these staff to it. I've granted this group Read access to the .msc file and given them the file path to it.
  • Give the Account Managers the necessary permissions - Read, Write and Modify - on the OUs in which our user accounts live (not our System Accounts - they're somewhere else).
  • Delegate control of user accounts by right-clicking the root domain in AD Users and Computers and - well, just walking through the wizard.
  • Remove these users from the Admin groups.
I'm sure there's going to be some whingeing sometime soon, but that I can handle, by the old-school SysAdmin technique of hiding behind my manager. Hey, it's what he's there for. And I'll sleep just a little bit better tonight, although I know I'll wake up tomorrow and find something else that frightens me.
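The same delegation, scripted rather than clicked through the wizard, as an added example that is not the author's own: it assumes the ActiveDirectory PowerShell module on a domain-joined admin host, and the OU path, member names and admin group list are placeholders to adjust.

```powershell
# Added example (not from the original post): least-privilege delegation of
# user-account management to an "Account Managers" group instead of admin rights.
# Placeholders: the OU path and the member names.
Import-Module ActiveDirectory

$UsersOU     = 'OU=Staff Users,DC=example,DC=local'   # where the user accounts live (placeholder)
$GroupName   = 'Account Managers'
$Members     = @('jdoe', 'asmith')                    # the part-time account creators (placeholders)
$AdminGroups = @('Domain Admins', 'Administrators', 'Account Operators')

# 1. Create the group (idempotent) and add the staff to it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $UsersOU
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# 2. Delegate only what account creation needs, and only on the users OU
#    (system accounts in other OUs are untouched): create/delete user objects
#    on the OU itself, plus full control over the user objects beneath it.
$sid       = (Get-ADGroup $GroupName).SID
$userClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" class
$acl       = Get-Acl "AD:\$UsersOU"
$rights    = [System.DirectoryServices.ActiveDirectoryRights]
$inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($rights::CreateChild -bor $rights::DeleteChild), $allow, $userClass, $inherit::None)))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::GenericAll, $allow, $inherit::Descendents, $userClass)))
Set-Acl -Path "AD:\$UsersOU" -AclObject $acl

# 3. Take the same people out of the admin groups.
foreach ($g in $AdminGroups) {
    Remove-ADGroupMember -Identity $g -Members $Members -Confirm:$false -ErrorAction SilentlyContinue
}

# 4. Verify: nobody in Account Managers should still sit in an admin group,
#    and the OU ACL should show only the two scoped entries for the group.
foreach ($m in $Members) {
    $stillAdmin = Get-ADPrincipalGroupMembership $m | Where-Object { $AdminGroups -contains $_.Name }
    if ($stillAdmin) { Write-Warning "$m is still in: $($stillAdmin.Name -join ', ')" }
}
(Get-Acl "AD:\$UsersOU").Access | Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

Run it as a domain administrator once, then re-run step 4 on its own whenever a new account manager joins, since group membership drifts back towards admin rights far more often than OU ACLs do.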
